Introduction
This document describes how NAT configuration differs between ASA 8.2 and 8.3.
Problem
The user is currently running ASA 8.2 and is planning to upgrade to 8.3. He described the following scenario:
There is an inside interface at 10.10.10.1 and an mpls interface (sec-100) at 10.20.20.1, and the user wants traffic to traverse between the two interfaces. He could write the following statement:
static (inside,mpls) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
What would this look like in 8.3?
Solution
In 8.3 and later software, you do not need any NAT configuration between two interfaces unless you specifically need to NAT something.
If you have a Dynamic PAT configuration from "inside" to "mpls" that contains the networks behind "inside" as the source address, then you would need another NAT configuration to enable communication from "mpls" to "inside" (that is, to allow connections to be formed in both directions).
If there is no NAT configuration between "inside" and "mpls" at the moment, then you won't need any NAT configuration. You will just have to make sure the traffic is allowed in the interface ACL. If you have equal "security-level" values on the interfaces, then you will also have to make sure "same-security-traffic permit inter-interface" is configured.
In version 8.3, the nat statement depends on objects. You need to create an object for the source IP as well as for the NAT IP, and reference those objects in the nat statement.
object network <obj-name>
host/range/subnet <IP address>
object network obj-10.10.10.0
subnet 10.10.10.0 255.255.255.0
exit
nat (inside,mpls) source static obj-10.10.10.0 obj-10.10.10.0
This statement will work in a similar way to what you expect. You can also specify NAT with respect to a specific destination (similar to policy NAT):
nat (inside,mpls) source static obj-10.10.10.0 obj-10.10.10.0 destination static obj-4.4.4.4 obj-4.4.4.4
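The script below is an added example, not part of the original discussion or any Cisco tool. It rewrites an 8.2 network static statement into the 8.3 object and nat form shown above, and goes beyond the identity case by also handling a mapped address that differs from the real one. The function names are hypothetical, the obj-<address> naming follows the objects used above, the second sample line is constructed, and port statics, ACL-based policy statics and statements without an explicit netmask are rejected rather than guessed at.

```python
import ipaddress
import re

# 8.2 form: static (real_if,mapped_if) <mapped_ip> <real_ip> netmask <mask>
# The mapped (translated) address comes FIRST in 8.2; 8.3 puts the real object first.
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?P<real>\d+\.\d+\.\d+\.\d+)"
    r"\s+netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s*$"
)

def _object(addr, mask):
    """Return (object name, definition lines) for a host or subnet object."""
    # strict parsing raises ValueError if addr has host bits set for this mask
    net = ipaddress.ip_network(f"{addr}/{mask}")
    name = f"obj-{addr}"
    if net.prefixlen == 32:
        body = f" host {addr}"
    else:
        body = f" subnet {net.network_address} {net.netmask}"
    return name, [f"object network {name}", body]

def convert_static(line):
    """Convert one 8.2 network static statement to 8.3 configuration lines."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported static statement: {line!r}")
    real_name, out = _object(m["real"], m["mask"])
    mapped_name = real_name          # identity NAT reuses the same object
    if m["mapped"] != m["real"]:
        mapped_name, mapped_def = _object(m["mapped"], m["mask"])
        out += mapped_def
    out.append(
        f"nat ({m['real_if']},{m['mapped_if']}) "
        f"source static {real_name} {mapped_name}"
    )
    return out

if __name__ == "__main__":
    samples = [
        # statement from the page
        "static (inside,mpls) 10.10.10.0 10.10.10.0 netmask 255.255.255.0",
        # constructed sample: real host translated to a different mapped address
        "static (inside,outside) 192.0.2.10 10.10.10.5 netmask 255.255.255.255",
    ]
    for s in samples:
        print("\n".join(convert_static(s)), end="\n\n")
```

Review the generated lines before applying them, since the interface ACL still has to permit the traffic after the upgrade.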
Source Discussion
8.2 to 8.3 static nat question